2010 Virginia RIMS and PRIMA Conference
October 5, 2010
Business Impact Analysis: The Road Map to Managing Risks
Understanding risks in quantifiable terms provides the roadmap
The need for information…
Business Impact Analysis (BIA)
• Measures the enterprise-wide impacts to an organization in the event of a major disruption to key business processes
• Financial $ quantification of specific exposures
• Applied to internal as well as external processes / facilities
The Evolving Landscape
BUSINESS
• Competitive pressure
• Reduced time to market
• Margin pressure
• Operational efficiency
• High asset utilization
• Lean manufacturing
• Corporate governance
• Regulatory compliance
• Need for transparency
• Executive accountability
• Consolidations
• Global supply chains & economic conditions
• Business model complexities / silos
The Evolving Landscape
Internal risks
• Traditionally covered?
External risks?
• Do risk management efforts match?
⇒ The distinction between internal and external is becoming more blurry
⇒ The property risk blind spot
Pressures lead to increasing risks
and accountability to manage risk
And yet…
Response: The BCM ‘umbrella’
[Figure: the BCM ‘umbrella’. Panel labels: Supply Chain Management; Quality Management; Risk Management; Disaster Recovery; Facilities Management & Risk Improvement; Security; Crisis Communications & Public Relations; Health & Safety; Knowledge Management; Emergency Management]
Courtesy of the Business Continuity Institute
BUSINESS CONTINUITY MANAGEMENT
The BCM Model
[Figure: BCM model diagram. Labels: Design For Resilience; Understand your business; Implement your continuity strategies; Keep continuity alive; Develop your continuity strategies; BIA; Analysis / prioritization; BC / Ops Strategies]
A few basic assumptions
BCP: Scenario neutral
Probabilities
• Factor into crisis management, not BCP
• Outage time is the key consideration with recovery strategies
Scope
• Entire facility
Worst case scenarios DO happen…plan on it and you’re ready for anything
To know where to direct limited resources, you must determine which activities are most critical to maintaining continuity and achieving your strategic objectives
How would the current level of understanding be assessed?
• Revenue streams, resilience and risks?
• Interdependencies between revenue streams?
• Mitigation capabilities?
• Ultimate exposures?
Design for Resilience
Understand your business
Developing BC strategies
Prevent losses happening in the first place by protecting your critical processes
Make changes now to critical processes in your business model to make it more resilient
Develop plans that you can implement to maintain your business if the worst happens
Specific $ estimates allow for easier cost / benefit evaluation
Information sharing is critical (Finance, Supply chain, Operations, Risk Management) to create a prioritization map
Execution – Business Model Analysis
Firm Infrastructure – Finance
Human Resources
Information Technology
Purchasing/Procurement
Inbound Logistics
Operations
Outbound Logistics
Marketing & Sales
Service
Profit
Questionnaires, with follow-up interviews
Dependency Mapping
Understanding the relationship between revenue / margin streams and:
• Locations (can also drive values reporting)
• Processes
• Applications
• Suppliers (mainly sole sources)

Location      Product A    Product B    Product C    Product D
              $15.5M       $100.1M      $75.6M       $355.3M
Location 1    10%          0%           0%           20%
Location 2    50%          25%          100%         65%
Location 3    100%         100%         100%         100%
Location 4    100%         0%           0%           10%
Quantification Approach
[Worksheet column headings: Direct Annual Impact; Interdependent Annual Impacts; Product Lines Impacted; % Impacted; Annual Product Variable Margin(s) (BI Value); Annual Product Variable Margin(s) (BI Value); Replacement Period - Months; Mitigation - Months; Subtotal; Rate; Amount; Rate; Time (months); Amount; Additional Expenses; Post-replacement lost sales]
1. Determine product lines impacted and direct variable margin impacts on a product line basis
2. Evaluate potential interdependent impacts – other revenue streams
3. Determine current replacement / recovery period
4. Assess mitigation capabilities
5. Consider other loss-cost factors
• Additional expenses, related to mitigation or other
• Customer losses, after recovery; can be huge factor
Internal / External Analysis
RTO / MTO Identification
Maximum tolerable outage
• The duration after which an organization’s viability will be threatened if the activity cannot be resumed.
Recovery time objective
• The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO.
• Evaluate the gap from current recovery
Identification is important, but consider subjectivity
• Evaluate against specific $ exposure quantifications via worst-case scenario
Risk evaluation
Consider the relationship between physical risk and impact to the business when evaluating risk mitigation strategies
Resource direction
[Figure: BI Exposure vs. Risk Quality. Plotted locations: Phoenix, Dallas, Houston, Austin, San Antonio, Orlando, Charlotte, Denver, Beaumont. Horizontal axis: BI Exposure ($M), $0 to $200. Vertical axis: Actual Risk Mark Score, 60 to 100]
Some examples…
• Carpet manufacturing: chemical supplier
• Coal mining interdependency
• Production bottlenecks
• Medical device supplier exposures
• Sr. management / BOD support for BCP / RI efforts
• Focusing RM resources (RI, BCP, transfer,…)
> $400M
+ Reputation
+ Market Share
+ Shareholder Value
Summary
• BCM more critical
• Prioritized approach to make manageable
  • $ quantifications with assessment of physical risks
  • Optimizes mitigation strategy selection
  • Framework includes loss prevention
• Does the management of internal and external risks match?
Eric Jones, CPA, CVA, CBCP
FM Global
AVP, Manager, Business Risk [email protected]